Merge pull request #1417 from AndrzejKurek/opaque-keys-ECDSA
Opaque keys ecdsa
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index bff30fc..8baa6b1 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -256,8 +256,8 @@
*/
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
size_t ssize, uint16_t byte_len,
- unsigned char *buf, size_t bufsize,
- size_t* buflen );
+ unsigned char *buf, size_t* buflen,
+ size_t bufsize );
/**
* \brief Convert a signature from numbers to ASN.1
*
@@ -281,6 +281,29 @@
size_t *slen, size_t ssize );
/**
+ * \brief Convert a signature from a raw representation to ASN.1
+ *
+ * \param r First number of the signature
+ * \param s Second number of the signature
+ * \param num_len Length of each number in bytes
+ * \param sig Buffer that will hold the signature
+ * \param slen Length of the signature written
+ * \param ssize Size of the sig buffer
+ *
+ * \note The size of the buffer \c ssize should be at least
+ * `MBEDTLS_ECDSA_MAX_SIG_LEN(grp->pbits)` bytes long if
+ * the signature was produced from curve \c grp,
+ * otherwise this function will return an error.
+ *
+ * \return 0 if successful,
+ * or a MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code
+ *
+ */
+int mbedtls_raw_ecdsa_signature_to_asn1(const unsigned char *r,
+ const unsigned char *s, uint16_t num_len,
+ unsigned char *sig, size_t *slen, size_t ssize );
+
+/**
* \brief Read and verify an ECDSA signature
*
* \param ctx ECDSA context
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 43d001c..96d158b 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -513,7 +513,7 @@
* The output is the group's OID wrapped as ASN.1.
*
* \param grp ECP group used
- * \param buf Buffer to write to
+ * \param p Buffer to write to
* \param size Buffer size
*
* \return Number of bytes written to \c buf,
diff --git a/include/mbedtls/pkcs11_client.h b/include/mbedtls/pkcs11_client.h
index 83aed51..ac858f9 100644
--- a/include/mbedtls/pkcs11_client.h
+++ b/include/mbedtls/pkcs11_client.h
@@ -2,8 +2,9 @@
* \file pkcs11_client.h
*
* \brief Generic wrapper for Cryptoki (PKCS#11) support
- *
- * Copyright (C) 2017, ARM Limited, All Rights Reserved
+ */
+/*
+ * Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -46,12 +47,12 @@
#if defined(MBEDTLS_PK_C)
-#define MBEDTLS_PK_FLAG_SENSITIVE ( (uint32_t) 0x00000001 )
-#define MBEDTLS_PK_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 )
-#define MBEDTLS_PK_FLAG_SIGN ( (uint32_t) 0x00000010 )
-#define MBEDTLS_PK_FLAG_VERIFY ( (uint32_t) 0x00000020 )
-#define MBEDTLS_PK_FLAG_DECRYPT ( (uint32_t) 0x00000040 )
-#define MBEDTLS_PK_FLAG_ENCRYPT ( (uint32_t) 0x00000080 )
+#define MBEDTLS_PKCS11_FLAG_SENSITIVE ( (uint32_t) 0x00000001 )
+#define MBEDTLS_PKCS11_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 )
+#define MBEDTLS_PKCS11_FLAG_SIGN ( (uint32_t) 0x00000010 )
+#define MBEDTLS_PKCS11_FLAG_VERIFY ( (uint32_t) 0x00000020 )
+#define MBEDTLS_PKCS11_FLAG_DECRYPT ( (uint32_t) 0x00000040 )
+#define MBEDTLS_PKCS11_FLAG_ENCRYPT ( (uint32_t) 0x00000080 )
#include "pk.h"
@@ -69,12 +70,11 @@
* \return 0 on success,
* or MBEDTLS_ERR_PK_XXX error code.
*
- * \note The session and the key(s) must remain valid until the
- * PK context is closed with mbedtls_pk_free(). As an
- * exception, it's ok to call mbedtls_pk_free() itself
- * even if the Cryptoki handles have become invalid.
+ * \note If any of the handles become invalid, then you may no
+ * longer do anything with the pk object except call
+ * mbedtls_pk_free on it.
*/
-int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
+int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hPublicKey,
CK_OBJECT_HANDLE hPrivateKey );
@@ -87,36 +87,42 @@
* PKCS#11 token.
*
* \param ctx PK context, which must contain a transparent pk
- * object (type \c MBEDTLS_PK_RSA,
- * \c MBEDTLS_PK_RSASSA_PSS, \c MBEDTLS_PK_ECKEY or
- * \c MBEDTLS_PK_ECDSA).
- * \param flags Mask of \c MBEDTLS_PKCS11_FLAG_XXX and
- * \c MBEDTLS_PK_FLAG_XXX, applying as follows:
- * - \c MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
+ * object (type #MBEDTLS_PK_RSA,
+ * #MBEDTLS_PK_RSASSA_PSS, #MBEDTLS_PK_ECKEY or
+ * #MBEDTLS_PK_ECDSA).
+ * \param flags Mask of #MBEDTLS_PKCS11_FLAG_XXX and
+ * #MBEDTLS_PK_FLAG_XXX, applying as follows:
+ * - #MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
* flag: if set, import as token object; if clear,
* import as session object.
- * - \c MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
- * \c CKA_EXTRACTABLE flag: if set, the key will be
- * extractable at least in wrapped form; if clear,
- * the key will not be extractable at all.
- * - \c MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
- * \c CKA_SENSITIVE flag: if set, the key will be
- * not be extractable in plain form; if clear, the
- * key will be extractable at least in wrapped form.
- * - \c MBEDTLS_PK_FLAG_SIGN: if set, the private key
+ * - #MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
+ * \c CKA_EXTRACTABLE flag: if set, the private key
+ * will be extractable at least in wrapped form; if
+ * clear, the key will not be extractable at all.
+ * - #MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
+ * \c CKA_SENSITIVE flag: if set, the private key
+ * will not be extractable in plain form; if clear,
+ * the key will be extractable in plain form if
+ * #MBEDTLS_PK_FLAG_EXTRACTABLE is set.
+ * - #MBEDTLS_PK_FLAG_SIGN: if set, the private key
* will be authorized for signing.
- * - \c MBEDTLS_PK_FLAG_VERIFY: if set, the public key
+ * - #MBEDTLS_PK_FLAG_VERIFY: if set, the public key
* will be authorized for verification.
- * - \c MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
- * will be authorized for signing.
- * - \c MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
+ * - #MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
+ * will be authorized for decryption.
+ * - #MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
* will be authorized for encryption.
*
- * \param hSession Cryptoki session.
+ * \param hSession Cryptoki session. The session must remain valid as long
+ * as the PK object is in use.
* \param hPublicKey If non-null, on output, Cryptoki handle of the public
- * key. If null, the public key is not imported.
+ * key. This handle must remain valid as long as the PK
+ * object is in use. If null, the public key is not
+ * imported.
* \param hPrivateKey If non-null, on output, Cryptoki handle of the private
- * key. If null, the private key is not imported.
+ * key. This handle must remain valid as long as the PK
+ * object is in use. If null, the private key is not
+ * imported.
*
* \return 0 on success,
* or MBEDTLS_ERR_PK_XXX error code.
@@ -133,7 +139,7 @@
* also failed, for example because the token was
* disconnected.
*/
-int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
+int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
uint32_t flags,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE *hPublicKey,
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 0f33b83..6be57d5 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -289,66 +289,75 @@
/*
* Convert a signature to a raw concatenation of {r, s}
*/
-/*int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
- size_t ssize, uint16_t byte_len,
- unsigned char *buf, size_t* slen )*/
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
size_t ssize, uint16_t byte_len,
- unsigned char *buf, size_t bufsize,
- size_t* buflen )
+ unsigned char *buf, size_t* buflen,
+ size_t bufsize)
{
int ret;
unsigned char *p = (unsigned char *) sig;
+ unsigned char *buf_ptr;
const unsigned char *end = sig + ssize;
- size_t len;
- mbedtls_mpi r, s;
+ size_t len, bytes_skipped;
if( 2 * byte_len > bufsize )
{
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
}
- mbedtls_mpi_init( &r );
- mbedtls_mpi_init( &s );
-
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
+ return ret;
}
if( p + len != end )
{
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
- goto cleanup;
}
- if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
- ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
- {
- ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
- p = (unsigned char *) buf;
- if( ( ret = mbedtls_mpi_write_binary(&r, p, byte_len) ) )
- {
- ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
- p += byte_len;
- if( ( ret = mbedtls_mpi_write_binary(&s, p, byte_len) ) )
- {
- ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- goto cleanup;
- }
- *buflen = 2*byte_len;
- cleanup:
- mbedtls_mpi_free( &r );
- mbedtls_mpi_free( &s );
+ /*
+ * Step 1: write R
+ */
+ buf_ptr = buf;
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+ return( ret );
- return( ret );
+ for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
+ if( p[bytes_skipped] != 0 )
+ break;
+
+ if( len - bytes_skipped > bufsize )
+ {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ *buflen = len - bytes_skipped;
+
+ memmove(buf_ptr, &p[bytes_skipped], *buflen);
+ p += len;
+ buf_ptr += *buflen;
+
+ /*
+ * Step 2: write S
+ */
+ if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+ return( ret );
+
+ for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
+ if( p[bytes_skipped] != 0 )
+ break;
+
+ if( len - bytes_skipped + *buflen > bufsize )
+ {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ *buflen += len - bytes_skipped;
+ memmove(buf_ptr, &p[bytes_skipped], len - bytes_skipped);
+
+ return( ret );
}
/*
@@ -373,6 +382,76 @@
*slen = len;
return( 0 );
+ }
+
+int mbedtls_raw_ecdsa_signature_to_asn1( const unsigned char *r,
+ const unsigned char *s, uint16_t num_len,
+ unsigned char *sig, size_t *slen, size_t ssize )
+{
+ int ret;
+ unsigned char *p = sig + ssize;
+ size_t total_len = 0;
+ size_t padding_len = 0;
+
+ /*
+ * Step 1: write S
+ */
+ memmove( p - num_len, s, num_len );
+ p -= num_len;
+ total_len += num_len;
+ if( *p & 0x80 )
+ {
+ if( p - sig < 1 )
+ return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+ *--p = 0x00;
+ padding_len += 1;
+ }
+ total_len += padding_len;
+
+ MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
+ num_len + padding_len ) );
+ MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
+ MBEDTLS_ASN1_INTEGER ) );
+
+ padding_len = 0;
+
+ /*
+ * Step 2: write R
+ */
+ memmove( p - num_len, r, num_len );
+ p -= num_len;
+ total_len += num_len;
+ if( *p & 0x80 )
+ {
+ if( p - sig < 1 )
+ return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+ *--p = 0x00;
+ padding_len += 1;
+ }
+ total_len += padding_len;
+
+ MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
+ num_len + padding_len ) );
+ MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
+ MBEDTLS_ASN1_INTEGER ) );
+
+ /*
+ * Step 3: write rest of the data
+ */
+ MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig, total_len ) );
+ MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+ /*
+ * Step 4: move to the beginning of the buffer, zeroize the rest
+ */
+ memmove( sig, p, total_len );
+ memset( sig + total_len, 0, ssize - total_len );
+ *slen = total_len;
+
+ return( 0 );
}
/*
diff --git a/library/pkcs11_client.c b/library/pkcs11_client.c
index 040b971..439c50c 100644
--- a/library/pkcs11_client.c
+++ b/library/pkcs11_client.c
@@ -1,7 +1,7 @@
/*
* Generic wrapper for Cryptoki (PKCS#11) support
*
- * Copyright (C) 2017, ARM Limited, All Rights Reserved
+ * Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -29,7 +29,6 @@
#include <stdint.h>
#include <string.h>
-#include <pkcs11.h>
#include "mbedtls/pkcs11_client.h"
@@ -144,7 +143,7 @@
CK_RV rv;
CK_MECHANISM mechanism = {0, NULL_PTR, 0};
CK_ULONG ck_sig_len;
-
+ (void)(md_alg);
/* This function takes size_t arguments but the underlying layer
takes unsigned long. Either type may be smaller than the other.
Legitimate values won't overflow either type but we still need
@@ -180,7 +179,8 @@
* each in the form of a big-endian byte sequence, with r and s
* having the same length as the base point.
*
- * A standard ECDSA signature is encoded in ASN.1:
+ * This library encodes ECDSA signatures in ASN.1 as documented
+ * for mbedtls_ecdsa_write_signature:
* SEQUENCE {
* r INTEGER,
* s INTEGER
@@ -191,9 +191,7 @@
*/
uint16_t byte_len = ( ( ctx->bit_length + 7 ) / 8 );
size_t sig_size = MBEDTLS_ECDSA_MAX_SIG_LEN( ctx->bit_length );
- mbedtls_mpi r, s;
- mbedtls_mpi_init( &r );
- mbedtls_mpi_init( &s );
+
rv = CKR_OK;
if( ck_sig_len != 2 * byte_len )
{
@@ -201,22 +199,15 @@
rv = CKR_GENERAL_ERROR;
goto ecdsa_exit;
}
- if( mbedtls_mpi_read_binary( &r, sig, byte_len ) != 0 ||
- mbedtls_mpi_read_binary( &s, sig + byte_len, byte_len ) != 0 )
- {
- rv = CKR_HOST_MEMORY;
- goto ecdsa_exit;
- }
+
/* The signature buffer is guaranteed to have enough room for
the encoded signature by the pk_sign interface. */
- if( mbedtls_ecdsa_signature_to_asn1( &r, &s, sig, sig_len, sig_size ) != 0 )
+ if( mbedtls_raw_ecdsa_signature_to_asn1( sig, sig + byte_len, byte_len, sig, sig_len, sig_size ) != 0 )
{
rv = CKR_GENERAL_ERROR;
goto ecdsa_exit;
}
ecdsa_exit:
- mbedtls_mpi_free( &r );
- mbedtls_mpi_free( &s );
if( rv != CKR_OK )
goto exit;
}
@@ -292,8 +283,8 @@
return( MBEDTLS_ERR_PK_ALLOC_FAILED );
}
if( mbedtls_ecdsa_signature_to_raw( sig, sig_len, byte_len,
- decoded_sig, 2 * byte_len,
- &decoded_sig_len ) != 0 )
+ decoded_sig, &decoded_sig_len,
+ 2 * byte_len ) != 0 )
{
rv = CKR_GENERAL_ERROR;
goto exit;
@@ -315,7 +306,7 @@
static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
MBEDTLS_PK_OPAQUE_INFO_1( "pkcs11"
, pkcs11_pk_get_bitlen
- , pkcs11_pk_can_do //can_do
+ , pkcs11_pk_can_do
, pkcs11_pk_signature_size
, pkcs11_verify
, pkcs11_sign
@@ -327,7 +318,7 @@
, NULL //debug_func
);
-int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
+int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hPublicKey,
CK_OBJECT_HANDLE hPrivateKey )
@@ -368,7 +359,7 @@
case CKK_ECDSA:
can_do = MBEDTLS_PK_ECKEY;
{
- unsigned char ecParams[16];
+ unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
mbedtls_asn1_buf params_asn1;
mbedtls_ecp_group_id grp_id;
const mbedtls_ecp_curve_info *curve_info;
@@ -416,29 +407,30 @@
CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE at,
unsigned char **p, size_t len )
{
- if( mbedtls_mpi_write_binary( mpi, *p, len ) != 0 )
- return( 0 );
+ int ret = mbedtls_mpi_write_binary( mpi, *p, len );
+ if( ret != 0 )
+ return( ret );
attr->type = at;
attr->pValue = *p;
attr->ulValueLen = len;
*p += len;
- return( 1 );
+ return( 0 );
}
-#define MPI_TO_CK( mpi, attr, at, p, len ) \
- do \
- { \
- if( !mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) ) \
- { \
- rv = CKR_ARGUMENTS_BAD; \
- goto exit; \
- } \
- } \
+#define MPI_TO_CK( mpi, attr, at, p, len ) \
+ do \
+ { \
+ if( mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) != 0) \
+ { \
+ rv = CKR_ARGUMENTS_BAD; \
+ goto exit; \
+ } \
+ } \
while( 0 )
#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) */
-#define CK_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE )
+#define MBEDTLS_PKCS11_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE )
-int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
+int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
uint32_t flags,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE *hPublicKey,
@@ -447,13 +439,13 @@
CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
CK_KEY_TYPE ck_key_type;
- CK_BBOOL ck_sensitive = CK_BOOL( flags & MBEDTLS_PK_FLAG_SENSITIVE );
- CK_BBOOL ck_extractable = CK_BOOL( flags & MBEDTLS_PK_FLAG_EXTRACTABLE );
- CK_BBOOL ck_sign = CK_BOOL( flags & MBEDTLS_PK_FLAG_SIGN );
- CK_BBOOL ck_verify = CK_BOOL( flags & MBEDTLS_PK_FLAG_VERIFY );
- CK_BBOOL ck_decrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_DECRYPT );
- CK_BBOOL ck_encrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_ENCRYPT );
- CK_BBOOL ck_token = CK_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN );
+ CK_BBOOL ck_sensitive = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SENSITIVE );
+ CK_BBOOL ck_extractable = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_EXTRACTABLE );
+ CK_BBOOL ck_sign = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SIGN );
+ CK_BBOOL ck_verify = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_VERIFY );
+ CK_BBOOL ck_decrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_DECRYPT );
+ CK_BBOOL ck_encrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_ENCRYPT );
+ CK_BBOOL ck_token = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN );
CK_ATTRIBUTE public_attributes[] = {
{CKA_CLASS, &cko_public_key, sizeof( cko_public_key )},
{CKA_KEY_TYPE, &ck_key_type, sizeof( ck_key_type )},
diff --git a/programs/.gitignore b/programs/.gitignore
index 05fb0b6..60942d76 100644
--- a/programs/.gitignore
+++ b/programs/.gitignore
@@ -49,7 +49,7 @@
test/udp_proxy
util/pem2der
util/strerror
-util/syslog2stderr.so
+test/syslog2stderr.so
x509/cert_app
x509/cert_req
x509/crl_app
diff --git a/programs/Makefile b/programs/Makefile
index 163059b..805ab20 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -278,14 +278,15 @@
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ifndef WINDOWS
-util/syslog2stderr.so: util/syslog2stderr.c
- echo " CC util/syslog2stderr.c"
+test/syslog2stderr.so: test/syslog2stderr.c
+ echo " CC test/syslog2stderr.c"
$(CC) $(CFLAGS) -fPIC -shared -o $@ $< -ldl
endif
clean:
ifndef WINDOWS
rm -f $(APPS)
+ rm -f test/syslog2stderr.so
else
del /S /Q /F *.o *.exe
endif
diff --git a/programs/test/syslog2stderr.c b/programs/test/syslog2stderr.c
new file mode 100644
index 0000000..3e34985
--- /dev/null
+++ b/programs/test/syslog2stderr.c
@@ -0,0 +1,69 @@
+/** \brief Syslog to stderr wrapper for Unix-like systems
+ *
+ * By dynamically linking this module into an executable, any message sent to the system logs
+ * via the POSIX or Linux API is instead redirected to standard error.
+*
+* Compile this program with `cc -fPID -shared -o syslog2stderr.so syslog2stderr.c -ldl`
+* and load it dynamically when running `myprogram` with
+* `LD_PRELOAD=/path/to/syslog2stderr.so myprogram`.
+* On macOS, replace `LD_PRELOAD` by `DYLD_PRELOAD`.
+ */
+ /**
+ * Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#include <dlfcn.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+
+
+void openlog( const char *ident, int option, int facility )
+{
+ (void) ident;
+ (void) option;
+ (void) facility;
+}
+
+/* POSIX API */
+void syslog( int priority, const char *format, ... )
+{
+ va_list args;
+ va_start( args, format );
+ vfprintf( stderr, format, args );
+ va_end( args );
+}
+
+/* Linux ABI
+ * http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
+ */
+void __syslog_chk( int priority, int flag, const char *format, ... )
+{
+ va_list args;
+ (int) flag;
+ va_start( args, format );
+ vfprintf( stderr, format, args );
+ fputc( '\n', stderr );
+ va_end( args );
+}
+
+void closelog( void )
+{
+ /* no-op */
+}
diff --git a/programs/util/syslog2stderr.c b/programs/util/syslog2stderr.c
deleted file mode 100644
index 6a636ec..0000000
--- a/programs/util/syslog2stderr.c
+++ /dev/null
@@ -1,41 +0,0 @@
-#include <dlfcn.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-
-
-void openlog( const char *ident, int option, int facility )
-{
- (void) ident;
- (void) option;
- (void) facility;
-}
-
-/* POSIX API */
-void syslog( int priority, const char *format, ... )
-{
- va_list args;
- va_start( args, format );
- vfprintf( stderr, format, args );
- va_end( args );
-}
-
-/* Linux ABI
- * http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
- */
-void __syslog_chk( int priority, int flag, const char *format, ... )
-{
- va_list args;
- (int) flag;
- va_start( args, format );
- vfprintf( stderr, format, args );
- fputc( '\n', stderr );
- va_end( args );
-}
-
-void closelog( void )
-{
- /* no-op */
-}
diff --git a/tests/scripts/pkcs11-client-test.sh b/tests/scripts/pkcs11-client-test.sh
index aaf7d94..05f8192 100755
--- a/tests/scripts/pkcs11-client-test.sh
+++ b/tests/scripts/pkcs11-client-test.sh
@@ -14,14 +14,16 @@
else
unset TOPDIR
fi
+# The SoftHSM library sends error messages to the system logs. If possible, send
+# the messages to standard error instead, by overloading the logging functions.
if [ -n "${TOPDIR+1}" ] &&
- make -C "$TOPDIR/programs" util/syslog2stderr.so >/dev/null 2>&1
+ make -C "$TOPDIR/programs" test/syslog2stderr.so >/dev/null 2>&1
then
case $(uname) in
Darwin)
- export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";;
+ export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
*)
- export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";;
+ export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
esac
fi
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index bf1bcc7..4135519 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -163,6 +163,7 @@
PK opaque minimal
pk_opaque_minimal:
-PK opaque wrapper (RSA)
-depends_on:MBEDTLS_RSA_C
-pk_opaque_wrapper:
+#PK opaque wrapper (RSA)
+#depends_on:MBEDTLS_RSA_C
+#pk_opaque_wrapper:
+#
\ No newline at end of file
diff --git a/tests/suites/test_suite_pkcs11_client.data b/tests/suites/test_suite_pkcs11_client.data
index 1793023..881ca83 100644
--- a/tests/suites/test_suite_pkcs11_client.data
+++ b/tests/suites/test_suite_pkcs11_client.data
@@ -1,19 +1,19 @@
PKCS#11 ECDSA import and sign
-depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
+depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_import_sign:"data_files/server3.key"
PKCS#11 ECDSA generate and sign
-depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
+depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
pk_generate_sign:MBEDTLS_PK_ECDSA
PKCS#11 ECDSA import, sign and verify with Cryptoki
-depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
+depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_import_sign_verify:"data_files/server3.key"
PKCS#11 ECDSA import, sign with MbedTLS and verify with Cryptoki
-depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
+depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_import_verify_signed:"data_files/server3.key"
PKCS#11 ECDSA verify a hardcoded signature with Cryptoki
-depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
pk_ecdsa_hardcoded_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:"046FDD3028FA94A863CD4F78DBFF8B3AA561FC6D9CCBBCA88E0AE6FA437F5415F957542D0717FF8B84562DAE99872EF841":"546869732073686F756C64206265207468652068617368206F662061206D6573736167652E00":"30350218185B2A7FB5CD9C9A8488B119B68B47D6EC833509CE9FA1FF021900FB7D259A744A2348BD45D241A39DC915B81CC2084100FA24":0
diff --git a/tests/suites/test_suite_pkcs11_client.function b/tests/suites/test_suite_pkcs11_client.function
index 87d1a61..05dd126 100644
--- a/tests/suites/test_suite_pkcs11_client.function
+++ b/tests/suites/test_suite_pkcs11_client.function
@@ -110,8 +110,7 @@
{CKA_DECRYPT, &ck_true, sizeof( ck_true )},
{CKA_SIGN, &ck_true, sizeof( ck_true )},
};
- CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS;
- unsigned char ecParams[16];
+ unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
size_t ecParams_length;
switch( key_type )
@@ -190,7 +189,7 @@
/* Prepare the mbed TLS contexts */
TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx,
mbedtls_pk_info_from_type( key_type ) ) == 0 );
- TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
+ TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession,
hPublicKey,
hPrivateKey ) == 0 );
@@ -201,8 +200,8 @@
#if defined(MBEDTLS_ECDSA_C)
case MBEDTLS_PK_ECDSA:
{
- unsigned char ecParams[16];
- unsigned char ecPoint[128];
+ unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
+ unsigned char ecPoint[MBEDTLS_ECP_MAX_PT_LEN];
CK_ATTRIBUTE public_attributes[] = {
{CKA_EC_PARAMS, ecParams, sizeof( ecParams )},
{CKA_EC_POINT, ecPoint, sizeof( ecPoint )},
@@ -246,7 +245,7 @@
break;
}
- /* Sign with the token and verify in software */
+ /* Sign with cryptoki and verify with mbed TLS */
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
hash_value, 32,
sig_buffer, &sig_length,
@@ -267,7 +266,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
+/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
void pk_import_sign( char *file )
{
mbedtls_pk_context pkcs11_ctx;
@@ -276,7 +275,7 @@
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
- unsigned char sig_buffer[4096];
+ unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
size_t sig_length = sizeof( sig_buffer );
mbedtls_pk_init( &pkcs11_ctx );
@@ -289,20 +288,20 @@
hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
- MBEDTLS_PK_FLAG_SIGN |
- MBEDTLS_PK_FLAG_VERIFY,
+ TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
+ MBEDTLS_PKCS11_FLAG_SIGN |
+ MBEDTLS_PKCS11_FLAG_VERIFY,
hSession,
&hPublicKey,
&hPrivateKey ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
+ TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession,
hPublicKey,
hPrivateKey ) == 0 );
- /* Sign with the token and verify in software */
+ /* Sign with cryptoki and verify with mbedTLS */
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
hash_value, 32,
@@ -324,7 +323,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
+/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
void pk_import_sign_verify( char *file )
{
/* Sign with cryptoki, convert to mbedTLS format and save,
@@ -336,7 +335,7 @@
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
- unsigned char sig_buffer[4096];
+ unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
size_t sig_length = sizeof( sig_buffer );
mbedtls_pk_init( &pkcs11_ctx );
@@ -349,20 +348,20 @@
hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
- MBEDTLS_PK_FLAG_SIGN |
- MBEDTLS_PK_FLAG_VERIFY,
+ TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
+ MBEDTLS_PKCS11_FLAG_SIGN |
+ MBEDTLS_PKCS11_FLAG_VERIFY,
hSession,
&hPublicKey,
&hPrivateKey ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
+ TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession,
hPublicKey,
hPrivateKey ) == 0 );
- /* Sign with the token and verify with cryptoki */
+ /* Sign with cryptoki and verify with cryptoki */
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
hash_value, 32,
@@ -384,7 +383,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
+/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
void pk_import_verify_signed( char *file )
{
/* Sign with mbedTLS, verify by cryptoki with a conversion
@@ -395,7 +394,7 @@
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
- unsigned char sig_buffer[4096];
+ unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
size_t sig_length = sizeof( sig_buffer );
mbedtls_pk_init( &pkcs11_ctx );
@@ -408,19 +407,19 @@
hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
- MBEDTLS_PK_FLAG_SIGN |
- MBEDTLS_PK_FLAG_VERIFY,
+ TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
+ MBEDTLS_PKCS11_FLAG_SIGN |
+ MBEDTLS_PKCS11_FLAG_VERIFY,
hSession,
&hPublicKey,
NULL ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
+ TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession,
hPublicKey,
CK_INVALID_HANDLE ) == 0 );
- /* Sign with the token and verify with cryptoki */
+ /* Sign with mbed TLS and verify with cryptoki */
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
TEST_ASSERT( mbedtls_pk_sign( &transparent_ctx, MBEDTLS_MD_SHA256,
hash_value, 32,
@@ -442,7 +441,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C */
+/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PK_C */
void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
char *hash_str, char * sig_str, int ret )
{
@@ -477,14 +476,14 @@
/* Initialize cryptoki and import the key into the token */
hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
- MBEDTLS_PK_FLAG_SIGN |
- MBEDTLS_PK_FLAG_VERIFY,
+ TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
+ MBEDTLS_PKCS11_FLAG_SIGN |
+ MBEDTLS_PKCS11_FLAG_VERIFY,
hSession,
&hPublicKey,
NULL ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
- TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
+ TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession,
hPublicKey,
CK_INVALID_HANDLE ) == 0 );